diff --git a/livebox.yml b/livebox.yml
new file mode 100644
index 0000000..4f229fd
--- /dev/null
+++ b/livebox.yml
@@ -0,0 +1,67 @@
+## This playbook deploys the LiveBox.
+##
+## The LiveBox provides Debian Live and Installer images on top
+## of an already existing network with minimal modifications to
+## existing infrastructure. It does not provide DHCP; the idea
+## is to chainload the LiveBox' menu (iPXE or Grub) from PXE
+## infrastructure already in place.
+##
+## To chainload the LiveBox in iPXE use:
+## > item livebox Chainload Menu from LiveBox
+## > …
+## > :livebox chain tftp://livebox.lan/d-i/n-a/menu.ipxe
+##
+## To chainload the LiveBox in Grub use:
+## > menuentry 'Chainload Menu from LiveBox' {
+## > configfile (tftp,livebox.lan)/d-i/n-a/grub/grub.cfg
+## > }
+---
+- name: apply configuration to the livebox
+ hosts: all
+ remote_user: ansible
+ become: true
+
+ vars:
+ extra_pkgs:
+ - lighttpd
+ - nfs-kernel-server
+ extra_pkgs_bpo:
+ - atftpd
+ - di-netboot-assistant
+
+ live_images:
+ - iso: 'debian-live-11.3.0-amd64-gnome+nonfree.iso'
+ name: 'gnome'
+ - iso: 'debian-live-11.3.0-amd64-kde+nonfree.iso'
+ name: 'kde'
+ - iso: 'debian-live-11.3.0-amd64-standard+nonfree.iso'
+ name: 'standard-cli'
+ live_url: 'https://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/11.3.0-live+nonfree/amd64/iso-hybrid/'
+ di_dist: "{{ ansible_distribution_release }}"
+ di_version: "{{ ansible_distribution_major_version }}"
+ di_pkg: "debian-installer-{{ di_version }}-netboot-amd64"
+ boot_params:
+ - boot=live
+ - netboot=nfs
+ - components
+ - locales=de_DE.UTF-8
+ - keyboard-layouts=de
+ - quiet
+ - splash
+# - noroot
+
+ ansible_python_interpreter: "/usr/bin/python3"
+
+ pre_tasks:
+ - name: preseed atftpd
+ debconf:
+ name: atftpd
+ question: atftpd/basedir
+ value: /var/lib/tftpboot
+ vtype: string
+
+ roles:
+ - up2date_debian
+ - netbootinstaller
+ - aptcacher
+ - debianlive
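Review bot: The `vars:` block defines `di_dist`, `di_version` and `di_pkg` but nothing in this playbook reads them, so a reader cannot tell which of the listed roles consumes them (presumably `netbootinstaller`, but that is not visible here); a one-line comment above them such as `# consumed by the netbootinstaller role` would make the coupling explicit. The commented-out `# - noroot` entry inside `boot_params` likewise carries no hint of why it is disabled; either note the reason or drop it. The `live_images` and `live_url` values pin a specific point release, which is fine, but a comment that both must be updated together would save the next maintainer a broken `get_url` when the images are refreshed.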
diff --git a/roles/aptcacher/tasks/main.yml b/roles/aptcacher/tasks/main.yml
index 01b745d..64f56ed 100644
--- a/roles/aptcacher/tasks/main.yml
+++ b/roles/aptcacher/tasks/main.yml
@@ -23,6 +23,10 @@
 replace: 'd-i mirror/http/proxy string http://{{ ansible_hostname }}:3142/'
 when: preseedcfg.stat.exists
+- name: test if firewalld is available
+ stat: path=/usr/sbin/firewalld
+ register: firewalld
+
 - name: allow apt-cacher-ng service in firewalld
 firewalld:
 zone: internal
@@ -30,11 +34,11 @@
 permanent: true
 immediate: true
 state: enabled
- when: not run_in_installer|default(false)|bool
+ when: not run_in_installer|default(false)|bool and firewalld.stat.exists
 - name: allow apt-cacher-ng service in firewalld, offline
 command: "firewall-offline-cmd --zone=internal --add-port=3142/tcp"
- when: run_in_installer|default(false)|bool
+ when: run_in_installer|default(false)|bool and firewalld.stat.exists
 - name: flush handler to make apt-cacher available
 meta: flush_handlers
diff --git a/roles/debianlive/handlers/main.yml b/roles/debianlive/handlers/main.yml
new file mode 100644
index 0000000..affc752
--- /dev/null
+++ b/roles/debianlive/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+- name: rebuild di-netboot assistant menu
+ command:
+ cmd: di-netboot-assistant rebuild-menu
+ listen: rebuild di-netboot menu
+
+- name: export nfs
+ command:
+ cmd: exportfs -ra
+ listen: export nfs
diff --git a/roles/debianlive/tasks/main.yml b/roles/debianlive/tasks/main.yml
new file mode 100644
index 0000000..23dcd11
--- /dev/null
+++ b/roles/debianlive/tasks/main.yml
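Review bot: The new task `stat: path=/usr/sbin/firewalld` uses the legacy key=value argument string while every other task in this role and in the new roles uses block YAML; write it as `stat:` followed by `path: /usr/sbin/firewalld`. The existence of that binary is also only a proxy for firewalld being usable: the changed `when: ... and firewalld.stat.exists` in the second hunk still lets the `firewalld:` task run with `immediate: true` on a host where the package is installed but the daemon is stopped, and that module then reports a failure rather than a skip. Consider stating that assumption in the task name or additionally gating on the service state; the `allow apt-cacher-ng service in firewalld` task whose condition is changed begins in the first hunk's context and its body spans both hunks.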
@@ -0,0 +1,106 @@
+---
+- name: download debian-live images
+ get_url:
+ url: "{{ live_url }}{{ item.iso }}"
+ dest: "/var/cache/di-netboot-assistant/{{ item.iso }}"
+ checksum: "sha256:{{ live_url }}/SHA256SUMS"
+ loop:
+ "{{ live_images }}"
+
+- name: prepare live image directory
+ file:
+ path: "/var/lib/tftpboot/d-i/n-live/{{ item.name }}"
+ state: directory
+ mode: 0755
+ loop:
+ "{{ live_images }}"
+
+- name: loop mount iso images
+ mount:
+ path: "/var/lib/tftpboot/d-i/n-live/{{ item.name }}"
+ src: "/var/cache/di-netboot-assistant/{{ item.iso }}"
+ fstype: iso9660
+ opts: loop,ro,nofail
+ state: mounted
+ loop:
+ "{{ live_images }}"
+ notify: rebuild di-netboot menu
+
+- name: prepare http downloads
+ file:
+ src: "/var/lib/tftpboot/d-i/"
+ dest: "/var/www/html/d-i"
+ state: link
+
+- name: export live image squashfs
+ lineinfile:
+ path: /etc/exports
+ line: "/var/lib/tftpboot/d-i/n-live/ *(ro,crossmnt,no_subtree_check)"
+ notify: export nfs
+
+- name: configure ipxe boot menu address
+ replace:
+ path: /etc/di-netboot-assistant/ipxemenu.HEAD
+ regexp: '^(set 210:string tftp://\${next-server}/)$'
+ replace: '#\1\nset 210:string http://{{ ansible_default_ipv4.address }}/'
+ notify: rebuild di-netboot menu
+
+- name: configure grub boot menu addresses
+ lineinfile:
+ path: /etc/di-netboot-assistant/grub.cfg.HEAD
+ line: "{{ item }}"
+ loop:
+ - "set root=(http,{{ ansible_default_ipv4.address }})"
+ - "set pxe_default_server={{ ansible_default_ipv4.address }}"
+ notify: rebuild di-netboot menu
+
+- name: prepare debian live nfs boot entry title
+ lineinfile:
+ path: /etc/di-netboot-assistant/ipxemenu.HEAD
+ insertafter: '^menu iPXE Boot Menu'
+ line: "item {{ item.name }} Debian GNU/Linux {{ item.name }} NFS"
+ loop:
+ "{{ live_images }}"
+ notify: rebuild di-netboot menu
+
+- name: find kernel version
+ shell:
+ cmd: >-
+ basename /var/lib/tftpboot/d-i/n-live/{{ item.name }}/live/vmlinuz*
+ | sed "s/vmlinuz-//"
+ register: images
+ changed_when: false
+ loop:
+ "{{ live_images }}"
+
+- name: prepare debian live boot loader ipxe
+ blockinfile:
+ path: /etc/di-netboot-assistant/ipxemenu.HEAD
+ marker: "# {mark} ANSIBLE MANAGED BLOCK {{ item.item.name }}"
+ block: |
+ :{{ item.item.name }}
+ echo Booting Debian GNU/Linux {{ item.item.name }}
+ kernel ${210:string}d-i/n-live/{{ item.item.name }}/live/vmlinuz-{{ item.stdout }} \
+ initrd=initrd.img-5.10.0-13-amd64 {{ boot_params|join(' ') }} \
+ nfsroot={{ ansible_default_ipv4.address }}:/var/lib/tftpboot/d-i/n-live/{{ item.item.name }}/
+ initrd ${210:string}d-i/n-live/{{ item.item.name }}/live/initrd.img-{{ item.stdout }}
+ boot
+ loop:
+ "{{ images.results }}"
+ notify: rebuild di-netboot menu
+
+- name: prepare debian live boot loader grub
+ blockinfile:
+ path: /etc/di-netboot-assistant/grub.cfg.HEAD
+ insertbefore: "^menuentry 'Boot from local disk..'"
+ marker: "# {mark} ANSIBLE MANAGED BLOCK {{ item.item.name }}"
+ block: |
+ menuentry 'Debian GNU/Linux Live {{ item.item.name }}' {
+ linux (http,{{ ansible_default_ipv4.address }})/d-i/n-live/{{ item.item.name }}/live/vmlinuz-{{ item.stdout }} \
+ {{ boot_params|join(' ') }} \
+ nfsroot={{ ansible_default_ipv4.address }}:/var/lib/tftpboot/d-i/n-live/{{ item.item.name }}/
+ initrd (http,{{ ansible_default_ipv4.address }})/d-i/n-live/{{ item.item.name }}/live/initrd.img-{{ item.stdout }}
+ }
+ loop:
+ "{{ images.results }}"
+ notify: rebuild di-netboot menu
diff --git a/roles/sambaldap/tasks/main.yml b/roles/sambaldap/tasks/main.yml
index 3176861..846bf69 100644
--- a/roles/sambaldap/tasks/main.yml
+++ b/roles/sambaldap/tasks/main.yml
@@ -89,7 +89,7 @@
 before: '\[.+\]'
 notify: restart smbd
-- name: make smb homes writable
+- name: modify samba default create mask
 replace:
 path: /etc/samba/smb.conf
 regexp: '^(\s*create mask =) 0700'
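Review bot: The iPXE `kernel` line in `prepare debian live boot loader ipxe` pins the kernel parameter to `initrd=initrd.img-5.10.0-13-amd64`, while the `initrd` line two lines below fetches `initrd.img-{{ item.stdout }}` using the version discovered by `find kernel version`; the two diverge as soon as a live image with a different kernel is listed in `live_images`, so the line should read `initrd=initrd.img-{{ item.stdout }} {{ boot_params|join(' ') }} \`. The `checksum: "sha256:{{ live_url }}/SHA256SUMS"` line inserts a slash after `live_url` even though the `url:` line above treats the variable as already slash-terminated (the playbook's value ends in `/`), which yields a `//SHA256SUMS` URL; drop the extra `/`. The `/etc/exports` entry exports the live trees to `*`, i.e. every host that can reach the NFS server; the export is read-only, but restricting it to the boot network (for example a variable holding the client subnet) keeps the squashfs trees to the hosts that actually netboot. `mode: 0755` is an unquoted octal literal and is less ambiguous across YAML loaders as `mode: "0755"`.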